Privacy Policy

1. Who we are (Data Controller)

AdFlash is the controller of your personal data. For any privacy-related question, request, or complaint you can reach us at privacy@adflash.io.

2. What data we collect

2.1 Data you provide

• Account data: name, email address, password (hashed), workspace name.
• Billing data: billing name, address, VAT number, and payment metadata processed via our payment provider (Stripe). We never store full card numbers.
• Content: ad templates, ad copy, creative assets, settings and any data you upload or generate inside the Service.
• Support communications: emails and messages you send us.

2.2 Data we receive from connected services

• Meta (Facebook) Ads: when you connect your Meta account, we access ad accounts, pages, pixels, business assets, campaign performance metrics and creative assets you authorise via OAuth, strictly to launch and report on campaigns on your behalf.

2.3 Data collected automatically

• Usage data: pages visited, features used, timestamps, referrers.
• Device data: IP address, browser type, operating system, language.
• Cookies and similar technologies: see our Cookie Policy.

3. How we use your data and legal basis

4. Sharing your data

We do not sell your personal data. We share data only with:

• Sub-processors that help us run the Service, under written data processing agreements:
• Supabase (database, authentication, storage) — EU/US
• Cloudflare (hosting, CDN, security) — global
• Stripe (payments) — EU/US
• Resend or similar (transactional email) — EU/US
• Meta Platforms Ireland Ltd. (only when you choose to launch ads)
• Authorities when legally required (e.g. court order).
• Successors in the event of a merger, acquisition, or sale of assets, with notice to you.

5. International transfers

Some of our sub-processors are located outside the EEA/UK. When data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and additional technical measures (encryption in transit and at rest).

6. How long we keep your data

• Account and content data: while your account is active, plus up to 90 days after deletion to allow recovery.
• Billing and tax records: 7 years (legal retention obligation).
• Support tickets: up to 3 years.
• Backups: rotated and overwritten within 35 days.

7. Your rights

Depending on your location you have the right to:

• Access the personal data we hold about you;
• Rectify inaccurate data;
• Erase your data ("right to be forgotten");
• Restrict or object to processing;
• Data portability;
• Withdraw consent at any time;
• Lodge a complaint with your supervisory authority (in the Netherlands: Autoriteit Persoonsgegevens).

California residents have additional rights under CCPA/CPRA, including the right to know, delete, correct and to opt out of "sharing" for cross-context behavioural advertising. We do not sell personal information.

To exercise your rights, email privacy@adflash.io. We respond within 30 days.

8. Security

We use industry-standard measures to protect your data: TLS encryption in transit, encryption at rest, role-based access control, audit logging, and regular backups. No system is 100% secure; if a breach occurs that affects your personal data, we will notify you and the relevant authorities as required by law.

9. Children

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice at least 30 days before they take effect.

11. Contact

AdFlash — privacy@adflash.io